What is the best way to add a shared workgroup device on Intune?

asked 2021-11-05T23:17:24.537+00:00
DoBongSoon 501 Reputation points

Hi,

I have a workgroup computer (Windows 10) used for a conference room with an auto-login setup so users and guests don’t need to log in. The machine goes straight to the desktop upon bootup. I have to add this device to Intune.

If I add this device to Accounts > Settings > Access work or school > Connect > my options are to join the device in Azure AD or the local domain. But this computer can’t be joined to the domain. It has to stay in a workgroup. I have multiple questions. Please advise.

  • If I choose Azure Active Directory, what account should I use? Should I create a DEM Account, assign a license to it, and register the device using this account?
  • Our O365 license allows up to 5 devices. Does this follow with the DEM Account? But I read that DEM can register up to 1000 devices? Does it mean that the 5-device limit goes up to 1000 allowable devices?
  • What is the best and correct way to add this workgroup computer to Intune?

Please advise. I’d appreciate it. Thank you.

Microsoft Intune Enrollment

Accepted answer
  1. answered 2021-11-08T15:44:44.02+00:00
    Jason Sandys 30,881 Reputation points Microsoft Employee

    Since this is a shared device, you 100% should be using a DEM account here to enroll the device and you should also have a device license purchased and available for it.

    To enroll in Intune, the device must have an AAD identity as well, which means it must be AAD registered, AAD joined, or hybrid AAD joined. Since you don't want to join it to your on-prem domain, hybrid AAD join is not valid. Assuming that the same local user account is used to log in to the device, then you should probably just AAD register the device -- this will happen for you automatically when you enroll it in Intune.

    I strongly suggest you use kiosk mode as well as noted by @Pavel Yannara Mirochnitchenko to add a level of security since any device on the network could easily be used by a bad actor.

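A device-side check, added here as an example and not part of the thread, that maps the states Jason describes (Azure AD registered, Azure AD joined, hybrid joined) and the Intune MDM enrollment onto what the machine itself reports. It assumes the `Key : Value` output format and key names of `dsregcmd /status` and the `HKLM:\SOFTWARE\Microsoft\Enrollments` registry layout used by current Windows 10 builds; it reports the raw `EnrollmentState` value without interpreting it. Run it in an elevated PowerShell session as the account that actually logs on to the conference room PC, since the `WorkplaceJoined` flag is per-user.

```powershell
# Added example (not from the thread): summarise the Azure AD identity state and
# Intune (MDM) enrollment of this Windows 10 device.
# Assumptions: dsregcmd /status prints "Key : Value" lines with the keys used below;
# Intune enrollments live under HKLM:\SOFTWARE\Microsoft\Enrollments\<GUID> with
# ProviderID "MS DM Server".

function Get-DsregState {
    # Parse dsregcmd /status into a hashtable; keys containing spaces (e.g. "Device Name")
    # deliberately do not match and are skipped, values may contain ':' (URLs).
    $state = @{}
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*(\S+)\s*:\s*(.*?)\s*$') {
            $state[$matches[1]] = $matches[2]
        }
    }
    return $state
}

function Get-AadJoinType {
    param([hashtable]$State)
    $aad    = $State['AzureAdJoined']   -eq 'YES'
    $domain = $State['DomainJoined']    -eq 'YES'
    $wpj    = $State['WorkplaceJoined'] -eq 'YES'   # per-user: Azure AD registered
    if ($aad -and $domain) { return 'Hybrid Azure AD joined' }
    if ($aad)              { return 'Azure AD joined' }
    if ($wpj)              { return 'Azure AD registered' }
    return 'No Azure AD identity (Intune enrollment not possible)'
}

function Get-MdmEnrollments {
    # Each enrollment is a GUID-named subkey; only those with ProviderID "MS DM Server"
    # are Intune. Other subkeys (Context, Status, ...) have no ProviderID and are skipped.
    $root = 'HKLM:\SOFTWARE\Microsoft\Enrollments'
    Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        if ($p.ProviderID -eq 'MS DM Server') {
            [pscustomobject]@{
                EnrollmentId    = $_.PSChildName
                UPN             = $p.UPN              # account used to enroll (DEM account here)
                EnrollmentState = $p.EnrollmentState  # raw value, not interpreted
                EnrollmentType  = $p.EnrollmentType
            }
        }
    }
}

$state = Get-DsregState
Write-Host "Join type : $(Get-AadJoinType -State $state)"
Write-Host "Tenant    : $($state['TenantName'])"
Write-Host "MDM URL   : $($state['MdmUrl'])"   # tenant MDM discovery URL, present once AAD joined

$enrollments = @(Get-MdmEnrollments)
if ($enrollments.Count -eq 0) {
    Write-Warning 'No Intune (MS DM Server) enrollment found on this device.'
} else {
    $enrollments | Format-Table -AutoSize
}
```

The `UPN` column is the quick way to confirm that the enrollment was done with the DEM account rather than with whichever admin happened to be logged on; a mismatch there is the usual reason a "shared" device later counts against a person's device limit.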

3 additional answers

Sort by: Most helpful
  1. answered 2021-11-07T18:17:27.893+00:00
    Pavel Yannara Mirochnitchenko 6,911 Reputation points

    Consider Autopilot Self-Deploying mode and Windows 10 Kiosk configuration. It allows you to automate the login process without user and you can select one app or multiple app to run.


  2. answered 2021-11-08T09:32:00.19+00:00
    Simon Ren-MSFT 13,221 Reputation points Microsoft Employee

    Hi,

    Thanks for posting in Microsoft Q&A forum.

    ==> my options are to join the device in Azure AD or the local domain. But this computer can’t be joined to the domain. It has to stay in a workgroup.
    Yes, the computer could be Azure AD joined and a workgroup device. Unlike on-premises AD, a device that joins AAD can still stay in a workgroup.

    1. If I choose Azure Active Directory, what account should I use? Should I create a DEM Account, assign a license to it, and register the device using this account?
    You can use a normal AAD account with an Intune license or a DEM Account that also must be assigned an Intune license.

    2. Our O365 license allows up to 5 devices. Does this follow with the DEM Account? But I read that DEM can register up to 1000 devices? Does it mean that the 5-device limit goes up to 1000 allowable devices?

    Does the O365 license refer to an Office 365 E3 or E5 license? If yes, in my lab I find Office 365 E3/E5 licenses don't include an Intune license. A DEM account user must be assigned an Intune license. Refer to: Limitations of devices that are enrolled with a DEM account

    [Screenshot: 147353-o365.png]

    3. What is the best and correct way to add this workgroup computer to Intune?
    You could use Company Portal or just enter your AAD email address after Access work or school > Connect.

    Hope it helps. Thanks for your time.

    Best regards,
    Simon



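Simon's point 2 is the one that usually bites: an "E3" can be an Office 365 E3 (no Intune service plan) or a Microsoft 365 E3 (includes one), and the only way to be sure is to look at the service plans provisioned on the account. The following is an added example, not from the thread, that does that check over Microsoft Graph PowerShell for the account you intend to use as the DEM account. It requires the `Microsoft.Graph.Users` module; the account name is hypothetical, and the service plan identifiers `INTUNE_A` (Intune Plan 1) and `INTUNE_O365` (basic MDM for Office 365, which is not an Intune license) are taken from Microsoft's published licensing service plan reference and should be verified against it.

```powershell
# Added example (not from the thread): confirm a candidate DEM account actually has
# a provisioned Intune service plan before using it to enroll a shared device.
# Assumptions: Microsoft.Graph.Users module installed; service plan names INTUNE_A
# and INTUNE_O365 as listed in Microsoft's licensing service plan reference.

Connect-MgGraph -Scopes 'User.Read.All'

function Test-IntuneLicense {
    param([Parameter(Mandatory)][string]$UserPrincipalName)

    # One LicenseDetails object per assigned SKU; each carries its service plans.
    $details = Get-MgUserLicenseDetail -UserId $UserPrincipalName

    $plans = foreach ($sku in $details) {
        foreach ($sp in $sku.ServicePlans) {
            [pscustomobject]@{
                Sku                = $sku.SkuPartNumber
                ServicePlan        = $sp.ServicePlanName
                ProvisioningStatus = $sp.ProvisioningStatus
            }
        }
    }

    # A plan that is assigned but Disabled or PendingProvisioning does not count.
    $intune  = $plans | Where-Object { $_.ServicePlan -eq 'INTUNE_A' -and $_.ProvisioningStatus -eq 'Success' }
    $mdmO365 = $plans | Where-Object { $_.ServicePlan -eq 'INTUNE_O365' }

    [pscustomobject]@{
        User          = $UserPrincipalName
        Skus          = ($details.SkuPartNumber -join ', ')
        HasIntunePlan = [bool]$intune
        OnlyBasicMdm  = (-not $intune) -and [bool]$mdmO365   # O365-only tenant: MDM for O365, not Intune
        AllPlans      = $plans
    }
}

# Hypothetical DEM account UPN; replace with your own.
$result = Test-IntuneLicense -UserPrincipalName 'dem-confroom@contoso.com'
$result | Select-Object User, Skus, HasIntunePlan, OnlyBasicMdm | Format-List

if (-not $result.HasIntunePlan) {
    Write-Warning 'No provisioned Intune service plan on this account; Intune enrollment with it will fail.'
}
# To see every plan on the account, e.g. when OnlyBasicMdm is True:
# $result.AllPlans | Sort-Object Sku, ServicePlan | Format-Table -AutoSize
```

`OnlyBasicMdm` being true is the exact situation Simon describes: the tenant has Office 365 E3/E5, the account shows an "Intune"-looking plan, but it is the Office 365 MDM plan and a separate Intune (or EMS/Microsoft 365) license still has to be assigned to the DEM account.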

  3. answered 2021-11-08T16:20:37.35+00:00
    DoBongSoon 501 Reputation points

    What happens if

    • I create a DEM account and assign it an E3 license and an Intune license. Our E3 license is allowed to be used for up to 5 devices and comes with a P1 Intune license.
    • Assign this DEM account DEM Role.
    • Create a Shared Work Device profile on Intune, enable only the Shared PC Mode setting but not configure the Guest account, Kiosk, or Account management.

    Will this setup work? I mean, will the five E3 license limit be replaced with the 1000 limit of the DEM role? This is where I get confused.

    If I assign the Shared Work Device profile to the machine, what does enabling only the "Shared PC Mode" mean without enabling the Guest account or Account Management. I don't understand what I gain from this Shared PC Mode profile setting in this scenario.

    The PC's current setup is: Windows 10, computer in the workgroup, with an auto-login admin account. Cannot be in a Kiosk or limited account. Needs to be co-managed (I already got this part set up) and on Intune to receive the Windows Update Ring Policy we have on Intune. I was able to register it on Intune, but it is not clear to me how the license works in this case with the DEM account\role but with an E3 and Intune license.

    Thank you everyone for your time responding to my questions. @Jason Sandys @Simon Ren-MSFT
